X-Forwarded-For Header Apparently Not Being Pulled Correctly

Posted by gmcdougall 
X-Forwarded-For Header Apparently Not Being Pulled Correctly
April 08, 2013 04:59PM
Hello. We are using nginx as a reverse-proxy feeding into a Django/WSGI/gunicorn environment. We are planning to upgrade the web site and need to show a custom 503 page. This is trivial, but we also need to be able to access the web site internally at the same time for testing. The methods of doing this that I can find all use $remote_addr or some variant on pulling the X-Forwarded-For header to "turn off" maintenance mode when accessing the site internally through a browser. Unfortunately, I have been unable to pull the actual IP address. I have tried several variations on using the X-Forwarded-For, X-Real-IP, X-Cluster-Client-IP etc. and have found that the only IP address I am able to pull is the proxy. I understand that the X-Forwarded-For header is of the format: {client, proxy1, proxy2...} and I have been unable to find anything in the NGINX docs to ensure I am pulling only the leftmost IP address. Here is an example of my config file (edited for privacy):

user nginx;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    #include /etc/nginx/mime.types;
    #default_type application/octet-stream;

    # The last two fields are written back to back, with no space between them.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$proxy_add_x_forwarded_for"'
                    '"$http_x_real_ip"';

    access_log /var/log/nginx/access.log main;

    #sendfile on;
    #tcp_nopush on;

    #keepalive_timeout 65;

    #gzip on;

    server {
        # realip module: accept X-Forwarded-For only from this (redacted) address
        set_real_ip_from xxx.xxx.xxx.xxx/32;
        real_ip_header X-Forwarded-For;
        listen xxx.xxx.xxx.xxx:443;
        server_name no.business.com;

        ssl on;
        ssl_certificate /usr/local/nginx/certs/no.business.com.crt;
        ssl_certificate_key /usr/local/nginx/certs/no.business.com.key;
        root /usr/share/nginx/html;

        location / {
            proxy_pass_header Server;
            proxy_set_header Host $http_host;
            proxy_redirect off;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_connect_timeout 10;
            proxy_read_timeout 10;
            proxy_pass http://localhost:xxxx/;

            # Maintenance gate: 503 for everyone except the one allowed address
            set $maintenance on;
            if ($remote_addr = "xxx.xxx.xxx.xxx") {
                set $maintenance off;
            }
            if ($maintenance = on) {
                return 503;
            }
        }

        error_page 503 /maintenance.html;

        location = /maintenance.html {
            root /usr/share/nginx/html;
        }
        location /robots.txt {
            root /usr/share/nginx/html;
        }
    }
}

Again, I have tried several variations on pulling the real IP, to no avail. Here is a copy of the relevant log entries (I edited out the "http_user_agent" field for brevity). As you can see, both the $remote_addr and the, in this case, $proxy_add_x_forwarded_for fields show the proxy IP, while the $http_x_real_ip field is blank.

172.16.1.10 - - [08/Apr/2013:16:25:27 -0400] "GET / HTTP/1.1" 200 5652 "-" "172.16.1.10""-"
172.16.1.10 - - [08/Apr/2013:16:25:44 -0400] "GET / HTTP/1.1" 200 5652 "-" "172.16.1.10""-"
172.16.1.10 - - [08/Apr/2013:16:26:58 -0400] "GET / HTTP/1.1" 200 5652 "-" "172.16.1.10""-"
172.16.1.10 - - [08/Apr/2013:16:27:07 -0400] "GET / HTTP/1.1" 200 5652 "-" "172.16.1.10""-"
172.16.1.10 - - [08/Apr/2013:16:27:09 -0400] "GET / HTTP/1.1" 200 5652 "-" "172.16.1.10""-"

Any insights or assistance would be greatly appreciated!

Thank You
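
An added example, not part of the original post or the poster's configuration: one way to gate a maintenance page on the client address when nginx sits behind another proxy, using the realip module's `real_ip_recursive` and a `geo` map instead of the leftmost X-Forwarded-For entry. The internal network 10.20.0.0/16, port 8080 and the backend port 8000 are assumptions; 172.16.1.10 is the proxy address seen in the logs above.

```nginx
# Added example. 10.20.0.0/16, port 8080 and port 8000 are hypothetical.
events {}

http {
    # Accept X-Forwarded-For only on connections that arrive from the
    # known front proxy; from any other peer the header is ignored.
    set_real_ip_from  172.16.1.10;
    real_ip_header    X-Forwarded-For;

    # Walk the header from right to left and stop at the first address that
    # is not a trusted proxy. Anything further left was supplied by the
    # client and is never used.
    real_ip_recursive on;

    # Do not gate on $http_x_forwarded_for or its leftmost entry: a client
    # can send that header itself. geo matches $remote_addr, which the
    # realip module has already rewritten to the resolved client address.
    geo $maintenance {
        default       1;   # everyone else receives the 503 page
        10.20.0.0/16  0;   # hypothetical internal test network bypasses it
    }

    server {
        listen 8080;                       # placeholder listener
        root   /usr/share/nginx/html;

        error_page 503 /maintenance.html;

        # Served from root; outside "location /", so the gate does not loop.
        location = /maintenance.html { }

        location / {
            if ($maintenance) {
                return 503;
            }
            proxy_set_header Host            $http_host;
            # Pass only the resolved client address to the backend.
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_pass       http://127.0.0.1:8000;   # placeholder backend
        }
    }
}
```

The file can be syntax-checked with `nginx -t -c` followed by its absolute path before it is merged into a real configuration.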
Re: X-Forwarded-For Header Apparently Not Being Pulled Correctly
April 19, 2013 11:24AM
Turns out the X-Real-IP variable is being pulled OK in our production environment anyway, so we can work around. Thanks everyone.